mirror/infrastructure
1
1
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2025-01-18 08:06:16 +01:00
Code Issues
disable-oom-alert-on-build-machines
infrastructure/roles/postfix/templates/main.cf.j2
Kristian Klausen 42d8aef2c3
postfix: Restrict authenticated senders to their own address(es) 
Please see the reject_authenticated_sender_login_mismatch option[1] for
more details.

For now service accounts are not restricted in any way, this should be
improved in the further.

[1] https://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch

Fix #365
2024-12-25 19:06:42 +01:00

121 lines
3.3 KiB
Django/Jinja
Raw Permalink Blame History

#
# {{ansible_managed}}
#
compatibility_level = 3.6
biff = no
smtputf8_enable = no
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/{{mail_domain}}/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/{{mail_domain}}/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHAA
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
mydomain = {{inventory_hostname}}
myhostname = {{inventory_hostname}}
myorigin = archlinux.org
mydestination = archlinux.org
mailbox_transport = lmtp:unix:private/dovecot-lmtp
lmtp_destination_recipient_limit = 1
mailbox_size_limit = 0
message_size_limit = 104857600
recipient_delimiter = +
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
# enable for testing new config
soft_bounce = no
debug_peer_list =
# custom restriction classes
policy_check =
# postfwd (rate-limiting)
check_policy_service inet:127.0.0.1:10040
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
smtpd_relay_restrictions =
smtpd_recipient_restrictions =
# policy services
$policy_check,
# allow our users
permit_mynetworks,
permit_sasl_authenticated,
# reject relaying
reject_unauth_destination,
# reject unclean mails
reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_non_fqdn_sender,
reject_unknown_recipient_domain,
reject_unknown_sender_domain
# some rate limiting rules only work after data so check it again
smtpd_end_of_data_restrictions =
$policy_check
unknown_address_reject_code = 550
smtpd_reject_footer = For assistance contact <postmaster@archlinux.org>. Please provide the following information in your problem report: time ($localtime), client ($client_address) and server ($server_name).
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
submission_recipient_restrictions =
# allow postmaster
permit_sasl_authenticated,
reject
smtpd_milters = inet:localhost:11332
non_smtpd_milters = $smtpd_milters
# Pass internal mails through filters so they get signed by opendkim
# XXX: Be careful not to have filters that may reject mails!
internal_mail_filter_classes = bounce
indexed = ${default_database_type}:${config_directory}
smtpd_sender_login_maps = unionmap:{
static:{aur bbs gemini gitlab matrix archlinux wiki security},
${indexed}/smtp_sender_map,
${indexed}/users}
smtpd_helo_required = yes
smtpd_client_connection_rate_limit = 400
smtpd_client_message_rate_limit = 500
smtpd_client_recipient_rate_limit = 500
alias_maps = ${indexed}/aliases
alias_database = $alias_maps
virtual_alias_maps =
${indexed}/users
virtual_alias_domains = ${indexed}/domains
# reject mails to system users (nobody looks in those mailboxes)
local_recipient_maps =
${indexed}/users
$alias_maps
pcre:${config_directory}/transport.pcre
transport_maps =
pcre:${config_directory}/transport.pcre
wiki_bouncehandler_destination_recipient_limit = 1
authorized_mailq_users = root
delay_warning_time = 4h
# vim: set ft=pfmain:
View Git Blame Copy Permalink